Analysis
-
max time kernel
120s -
max time network
149s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
03-10-2024 22:21
Static task
static1
Behavioral task
behavioral1
Sample
dbccdff96a947a5a461a9c794db7bf1e704dc5371fd6a3cb0bbdb412d0854818.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
dbccdff96a947a5a461a9c794db7bf1e704dc5371fd6a3cb0bbdb412d0854818.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
dbccdff96a947a5a461a9c794db7bf1e704dc5371fd6a3cb0bbdb412d0854818.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
dbccdff96a947a5a461a9c794db7bf1e704dc5371fd6a3cb0bbdb412d0854818.apk
-
Size
4.8MB
-
MD5
d98de9f671d6aa0174ec3ea0e0bddfec
-
SHA1
303e407a5b037edcfe39c56452c96064a0b48120
-
SHA256
dbccdff96a947a5a461a9c794db7bf1e704dc5371fd6a3cb0bbdb412d0854818
-
SHA512
7e322b4acacb0997045842ca9222cbbde8ffda0bd5ac808a0ce975c5fe4c75e13b2deb33cc1f7887e70ed11c2e2697d725a1cccb200d3d0fa1b61adfa25f725b
-
SSDEEP
98304:i+fYMQWkZNz2GKsglGc+vx0lTeHuCUXW+cs/Re6EDk:iGeFLppgcc+vKlTZGDs/Re6EDk
Malware Config
Extracted
anubis
https://google.com
Signatures
-
Anubis banker
Android banker that uses overlays.
-
pid Process 4256 com.tencent.mm -
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.tencent.mm/app_mph_dex/classes.dex 4256 com.tencent.mm /data/user/0/com.tencent.mm/app_mph_dex/classes.dex 4285 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=41 --oat-fd=43 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.tencent.mm/app_mph_dex/classes.dex 4256 com.tencent.mm -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.tencent.mm -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description ioc Process Framework service call android.accounts.IAccountManager.getAccounts com.tencent.mm -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://com.android.contacts/data/phones com.tencent.mm -
Reads the content of the calendar entry data. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://com.android.calendar/events com.tencent.mm -
Reads the content of the call log. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://call_log/calls com.tencent.mm -
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.tencent.mm -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.tencent.mm -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mm -
Queries information about active data network 1 TTPs 1 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.tencent.mm -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tencent.mm -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.tencent.mm -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.tencent.mm -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.tencent.mm -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.tencent.mm -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.tencent.mm
Processes
-
com.tencent.mm1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the calendar entry data.
- Reads the content of the call log.
- Requests cell location
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:4256 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=41 --oat-fd=43 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4285
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Execution Guardrails
1Geofencing
1Foreground Persistence
1Hide Artifacts
3Suppress Application Icon
1User Evasion
2Input Injection
1Discovery
Location Tracking
1Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10.6MB
MD5302e71be0e6d47632c3769c72da585b7
SHA1124f1bb806acff41157abef543a838ff0ce53b07
SHA25666fbdef34021b43ecf328360a6e50ed2fd2fb6c2d568e15775027234649c1a6e
SHA5128743061a172d844b0d397930c17c4153df4a895cfe2845d58fea3fcde4ce66aa94d1ba1d5a0ae4859772b57b7fb4c777cfa4c2681c3309ceff450cec234ce7b1
-
Filesize
586B
MD539dc1f11c11b25386fd2eb93a5eceb59
SHA1f2368f267636abc29e1a24192233c109505d2c4e
SHA2561dba607e43412210e65297287177563e2779e855e65685e2ea5537783c4b6f86
SHA5120c3d45b13b43eaadf8c5ff02868fadbf01802d8256895d5a46c08c173d9c6d696f65cf6e041df52bebc2cf2a99812c2b70707e253843dd514d5bf6004ad41899
-
Filesize
512B
MD50ebda0f3e9cd51c3c264135187203ff7
SHA15b01202d45340ece87fa37987509a4eeaa5360a0
SHA2565cb4cedb481f0438aad7291c22b691ca3e47dd01e7610adcd0ec682196fec722
SHA5125e7d23ddd1be1e9b86a3de4aa93e6b97270fa70eb45a179c7e9e18c861962be5b1bef9906be7fde8952fd57e27c9c6d486d36061877462b0dd68c783d4eff5a7
-
Filesize
60KB
MD5bb6885af881d3ba26b49fef4e989d1c7
SHA1f0956c0b50f311515fd0829185321ba1b9064d0f
SHA256a587d943faddbdfc29c1fe63c2e4bc01d335a12f73d2d50fbd6e9fb1c45eb24c
SHA5123f1e9f2fb2e4a81053a42494d2bd603d396f32129a2997503f7d38780514f98c230c39aee336ab0ff2952aa3cbdd2e6add318c9f9fa5bf60e2da3944a64905f8
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5a5276940911d539f55515d5b514dad0a
SHA1a7ea7145e56b7175ff6de9cc8138717cbbe7e058
SHA256192778a54a0e1dd27a577d2cc6accda45d1e528fcba61b031e19a15e4b0ef6a6
SHA5120fab3dcf6a424891b82228451866a01fec2e35ae89b19da31e121788092abad101b252fb9834922674204c795926494d927c919fd6827aa73957937b22fcc4cf
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
44KB
MD5fc5ed16f725fd5825370a4699529c2a6
SHA177c44196138583ff4e8dd012cd64539a19a79fb7
SHA25654b4d0a4004b095f930504fcccdee20249f3b651c579e621c7d24766583a169e
SHA512918ccaa04c0bcf926ee32bb7fbc66a96418eb98fac0bfda0c0e67c04ca3e4cd4a6afbed6b6a68bea4022010fb9b528bf97330c715a65306b915e8e32912f7485
-
Filesize
3B
MD558e0494c51d30eb3494f7c9198986bb9
SHA1cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d
SHA25637517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570
SHA512b7a9336ed3a424b5d4d59d9b20d0bbc33217207b584db6b758fddb9a70b99e7c8c9f8387ef318a6b2039e62f09a3a2592bf5c76d6947a6ea1d107b924d7461f4
-
Filesize
116B
MD5624e826ba2f53df001a0ac2a07cee91b
SHA1ca00efb564395d076eedda03665275303dc2449c
SHA256a84a41c36b92f52a3563b2a268ac8258fad5470fbf799483817a6cbf423fe30c
SHA51208a13f429d218277a8a88888b52b01e0547d6a5095f222ce2bc87a95c3bb4b29c87b71e7912cc407c52042dedc5274653a9fdbad24a4bed5ebcc59fcfaf949c8
-
Filesize
126B
MD59d5b9e6a73dd329fc8b031f3ca2ffcec
SHA1077ce59bc125cada3e2a8460b67dfacead12f5b3
SHA256e313d802e98aaf6a3794e584dd081d0774174637838ab8e3c2ca4c5908df1c89
SHA51225f470317e42144cdefe885e9de17205d92251360cd23b9f8c0dc8b3d70a93eae4687d27412ea189adaaf4ec491e3eafef05e8a2823e58311aab64e8c5cbf202
-
Filesize
116B
MD5cb6a279614da30384426937f5740338b
SHA113b0710f5ae6781ef7798e0c786fa5a75f4c5283
SHA256b4b193f13caf77fc484254b660f4cfb74958357c4ff8dc7b8101413cff120fc2
SHA5125865c715b4af90ec33673738869bdf757920ce80c11012ae162714c1e45889353973fcee1756e54dfa97e4252bbc8eb96bcec94fb2d032ab1bd65ec26e76eae4
-
Filesize
126B
MD50da155ccb7d858919b2193aaa4e1e681
SHA19c0ba3a0ca15fb95d6fcbb5157d33846603fe5ed
SHA25681a7281da5e288321c53021a77ac8e4866c30e4d88903a304b93a49c216d90df
SHA512fb8c6c670e81a8dd34560599f317ee557cff8f283f45380ed33ffbe303d62398cdb5596e543725980c5afc4197e89206cc04154048eb55b8486e6421828ffe4c
-
Filesize
281B
MD5f09b17fa60ecbab295508b8eef513af5
SHA1ac46448901d131ef4605e576fb2d4cfcc3c9f688
SHA256c514bcc94fff664ddd9efa22d5662128c24c11d061061e14d02b3e61db291a07
SHA512054b098a272e331f871db61e33a94765e44836c81dd27ba44a041861f0e954c4ab7eda3b8391cf172738b5f30d34605d9ff25d3589ec4fe7ac394d9d32f8fa82
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
609B
MD548e6941039931db6708677e86bff2252
SHA1868b3cb565bddcafb1f7543b0aba509eb7afe66c
SHA256ba0c7efd1b07b03373642ce076fb5d7eb802f6a0ba0e97313f4dbbd40052ec23
SHA51233cad4578700824c9745cc2c85503698b52991180f75df63a810a2033fd32b7413583815a94f7f4ce2787228ffee576ef794dd9074ec8edf4e148ffe14431282
-
Filesize
5KB
MD5b347f6188ee025209e17f01cfa375d5a
SHA1098682537f524c32d6be1e2a99b6a8a3e1b320d8
SHA2567fece2f8e545a48c3b15c5cafa9a903c9bbe86de0320da217e856566bee13bec
SHA51288a026ab14001c6ad2c51432870691bcc2c95d2e1497380af1b1ce1c80bbbcc94a4f6bccee31a9edfec3ccc634a89f0b910b0ee0b9a75cba6be555ea37d52ffa
-
Filesize
10.6MB
MD5f81febe1ce21523f67265f756a5ec62e
SHA1b288942255fe4c18a775125a553746985a95db27
SHA256598cdb3ba743f75ef70bf40cf1a6cfa8bea8d6e5b47c208b7c6bcfce9d7a64e2
SHA5124fc06dc8e731e4bd7f95226f8a71585fd9c5365ef26d1e2bacdb694c9f04a49f210c30fbcb60db2e4c0d352a38645dbad6aa448ecd93bddbc35d69aa44352864
-
Filesize
12B
MD5a9256f55737b655c8cff95418411997c
SHA1d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24
SHA256bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412
SHA51210d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574
-
Filesize
12B
MD5e48057c3603c907cacbe1568a7dbfc41
SHA16e100086b53e20e499a9be069aa1b452faf82ba3
SHA2564b36685dbf772b2de007f4c98f824966f4f3a132075692d3d3d8f11e84e5468e
SHA512787e1140832e8c308039f0287ee801c00040544d5241425b0c0c8e8dc19ecf3feefa50706723f7a21be209c13b24ab3dbe0691ec42118fdfe18611b13155fb9a
-
Filesize
267B
MD5cb0b0c34caf7d1ecdf4b2c506fd566d3
SHA180f7d29156890eca87a10ca1b8fdece867d9b7cc
SHA256a8012788df8b83994d196fc55884affe5ccbcc27de5550959b57cec030d3c1ef
SHA512a6d462191b37097a75d0c0a9328e94232981d69ee610ec9fd011bbf636bebeff6bc9a51d8a3936474c1295dab0a7257ee1122c41f926f090e7f2428c2626f484